Africa’s nascent data protection community members share their vision

Members from the first in-person gathering of what could become a pan-African data protection council, and the first time focusing on ID, spoke about their findings and gave advice on control of biometrics and other personal data to an audience at ID4Africa 2019, which included many more potential data protection officers from across the continent.

Data protection and privacy are vital elements of good governance when national ID systems are in place, even more so when these contains the population’s biometrics. Within this context, the first roundtable of African data protection authorities (RADPA) was held Tuesday behind closed doors. Observed by Biometric Update but convened along Chatham House rules, it was “an open and frank exchange,” according to Pam Dixon, Executive Director and Founder of World Privacy Forum, rapporteur of the roundtable and moderator of the public follow-up panel.

In her opening remarks, Dixon gave an overview of the status quo for data protection agencies (DPAs) in Africa, where relations can be strained with governments which do not always confer with the DPAs on data decisions. DPAs do not always have good dialogue with the ID industry, but “something that data protection authorities have that governments don’t is trust,” said Dixon.

In what became a highly collegiate and supportive session, data protection officers from Burkina Faso, Senegal, Mauritius, Côte d’Ivoire, Uganda and South Africa discussed what it means to be independent, how to fund and structure an agency, universal principals of data protection and how Africa should have its own data protection policies.

“Whenever I give a judgement, I try to be innovative,” said Drudeisha Madhub, barrister and commissioner of Mauritius’s data protection authority. Mauritius has one of the most advance DPAs in Africa, allowing Madhub to investigate and give decisions on cases.

Côte d’Ivoire’s commissioner, Leontine Gbato, shared how her authority created a phone app for people to send in complaints: “It even helps people compose their complaints to make it as easy as possible.”

President of Burkina Faso’s Commission on Informatics and Freedoms (the continent’s first DPA), Marguerite Ouedraogo Bonane, stressed the need to keep up with awareness raising, “in the field and as much for the public sector as private, and with plenty of social media.” She encourages others to set up a similar panel to hers, of which nine members include two civil society members as well as two ICT industry professionals.

In contrast, the representative of Africa’s newest DPA does not actually run a standalone DPA as her country, Uganda, didn’t have the money. Stella Alibateese is the director of Regulation and Legal Services within the National Information Technology Authority. The law to empower her department came in effect on May 3. “We can’t wait for something which should have started yesterday,” said Alibateese.

Funding became the key discussion point as the various agencies are funded through presidencies, ministries and raise their own revenues through registrations, authentications and fines. The threat to independence was a key concern of the audience, but the panellists were all assured of their organizations’ autonomy.

“‘Independence’ is not internationally defined,” said Mauritius’s Madhub, adding that another nation’s notion of independence “doesn’t have to be inspired by an American perspective” and that countries should choose what fits their situation.

“Our commission is not linked to a minister, but the presidency, which gives us autonomy,” said Senegal’s Awa Ndiaye, who went on to clarify that ‘linked’ is only the function of funding. “We’re funded as a public service, for citizens, not budgeted”.

Mauritius was the first African nation to recognize the EU’s GDPR, “but it doesn’t mean we import everything in bulk,” said Madhub.

“As Africans, it’s important we have our own framework,” said Sizwe Snail, member of South Africa’s Information Regulator.

“While everyone is scared of GDPR, the principles are the same [as previous policies],” said Uganda’s Alibateese, “I advise people to just make sure they have good business practices”.

Members agreed that they hope the UN’s guidance on data protection will be upgraded from ‘non-binding’ to ‘binding’ at some point soon.